
It's been a little hectic lately around the workplace, and I have been temporarily diverted from my daily tasks to help out on a few new issues. This has pulled me somewhat away from the security front lines. Because of this, I wanted to write a post that is a little more opinionated and takes a look at the big picture instead of focusing on recent trends or new discoveries.
The inspiration for writing this post comes from a not-so-sober night in Vegas for DEF CON a couple of weeks ago. While I was there I was able to meet up with a fellow peer and have a sloppy, not-so-sober discussion on security. I couldn't really tell you what we were discussing, but one part that stuck out in my mind was when I was called upon to defend the product I work for (again). I am not saying that I fully agree with the development of my product, because I am on the security side of things and will always take a security standpoint on the product discussion and its issues. Working here, having discussions with our product manager, and understanding the role of the business have definitely led me to a better understanding that what is best for the product might not be best for the business, and vice versa. I know that is a vague statement, but I will leave it at that (and that is another discussion in itself).
Now back to our intoxicating night in Vegas. The statement that has stuck with me was when I was explaining the McAfee Secure product and how I truly believe that we are doing a large part in increasing the security of e-commerce websites on the internet. I honestly believed that the McAfee Secure product does make a difference in the overall big picture of security, and I brought up the example of SQL injection. I did not disclose numbers (frankly because it would be hard to calculate), but I expressed that I believe the McAfee Secure product has disclosed thousands and thousands of exploitable SQL injection vectors and that an incredibly large majority of those have been remediated (at least 99%). I feel that since the creation of McAfee Secure (originally ScanAlert) in 2001, the product itself has made as much of an impact as any other security scanning solution out there. I have never gone out and researched this, but I do not really feel that it is necessary, because it is purely my opinion.
The part that really made this discussion stick in my mind is the response: "I have a lot of trouble believing that." There is nothing wrong with this response, and honestly it is coming from a peer that I respect (and I am sure he will most likely read this post). What got me was that I do feel there is a huge misunderstanding, and a belief that a product such as McAfee Secure is a worthless security product or does not provide an effective security solution.
I am not going to touch on why I do not agree with this opinion or why I believe that this opinion has formed (because I like to keep my posts neutral). What I do wish to say is that it seems to be a common thing out there in the world of security. It seems that size, success, standards, understanding, goals, marketing, etc., all have a place in determining whether a product is successful as a security solution or not.
Now the BIG PICTURE. Where does this all come in? Well, for me, it all fits together in the overall understanding of the PCI Security Council and the feat ahead of them, or the major financial institutions or major e-commerce websites who are attempting to attack security on a daily basis, and how it might be difficult to build and maintain a security solution when there are now security issues that might not have been an issue when the company or product was first created. I will leave all of these issues and solutions to your own opinion. We all face challenges in security and in making the internet a safer place. We all have difficulty in understanding other businesses' practices and their methods of achieving success in security. We have all heard the question of how you make a network (or internet) that was never designed to handle security controls into a more secure environment.
In closing, after the last few months of complaining about PCI and their method of delivering an effective security solution to e-commerce, I have come to settle down and give them a little credit for trying to accomplish such a difficult task without having a large impact on the functionality of e-commerce itself. I do believe that their product is making an impact, and although it is not the method that I would run with, it is becoming more and more effective and gaining ground an inch at a time.
That is just my opinion, and I'll let your own opinions run with this.
